The Microsoft Detection and Response Team (DART) says it detected an increase in password spray attacks targeting privileged cloud accounts and high-profile identities such as C-level executives.
Password spraying is a type of brute force attack where the attackers attempt to gain access to large lists of accounts using a small number of commonly used passwords.
These attacks often use the same password while switching from one account to another to find easy to breach accounts and avoid triggering defenses like password lockout and malicious IP blocking (when using a botnet).
This tactic makes it less likely to trigger an account lock as it happens when they’re targeted in classic brute-forcing attacks that quickly try to log into a small number of accounts by going through an extensive password list, one account at a time.
“Over the past year, the Microsoft Detection and Response Team (DART), along with Microsoft’s threat intelligence teams, have observed an uptick in the use of password sprays as an attack vector,” DART said.
“Recently, DART has seen an uptick in cloud administrator accounts being targeted in password spray attacks, so understanding the targets is a good place to start.”
DART recommends enabling and enforcing multi-factor authentication (MFA) across all accounts whenever possible and adopting passwordless technology to drastically lower the risk of account compromise when targeted by such attacks.
Admins and high profile accounts increasingly targeted
As Microsoft revealed one year ago, password spray attacks are among the most popular authentication attacks amounting to over a third of enterprise account compromises, according to Alex Weinert, Director of Identity Security at Microsoft.
DART has seen a wide array of administrator accounts with various permissions being targeted in recent password spray attacks.
The list of most popular targets includes accounts ranging from security, Exchange service, global, and Conditional Access administrators to SharePoint, helpdesk, billing, user, authentication, and company admins.
Besides this type of privileged accounts, threat actors have also attempted to compromise identities with a high profile (including C-level executives) or access to sensitive data.
“It is easy to make exceptions to policy for staff who are in executive positions, but in reality, these are the most targeted accounts. Be sure to apply protection in a democratic way to avoid creating weak spots in configuration,” DART added.
In July, the NSA revealed that the Russian state-backed Fancy Bear hacking group launched password spray attacks against U.S. and foreign organizations, including the U.S. government and Department of Defense agencies, from Kubernetes clusters.
Microsoft also said earlier this month that it spotted both Iran-linked DEV-0343 and the Russian-sponsored Nobelium groups using password sprays in attacks targeting defense tech companies and managed service providers (MSPs) or cloud service providers, respectively.